Access LIst and port 80 redirection

jaydunn
Level 1

I have a filtering appliance which all of my port 80 traffic is redirected to via my Cisco 7507 router.

However, I have 3 devices (each with its own IP address) which I would like to NOT have port 80 redirected to the filtering appliance. The filter people tell me I have to do this in my router, but I have not yet been able to figure out how to tell it to redirect port 80 for all BUT these 3 addresses.

I include the Access list lines and redirection lines from the router here.

This is from documentation provided by the filtering vendor to redirect Port 80 to filtering appliance, which is 10.59.1.11 .

-------------------------------------------------------------------------------------------------

ip local policy route-map N2H2

access-list 198 permit tcp host 10.59.1.25 any eq www

access-list 198 permit tcp host 10.59.1.20 any eq www

access-list 198 permit tcp host 10.59.1.21 any eq www

access-list 199 deny tcp host 10.59.1.11 any eq www

access-list 199 deny tcp host 10.59.1.2 any eq www

access-list 199 deny tcp host 63.204.88.5 any eq www

access-list 199 deny tcp host 10.59.10.2 any eq www

access-list 199 permit tcp any any eq www

access-list 199 deny tcp host 10.59.10.12 any eq www

access-list 199 deny tcp host 10.59.1.21 any eq www

access-list 199 deny tcp host 10.59.1.20 any eq www

access-list 199 deny tcp host 10.59.1.25 any eq www

route-map N2H2 permit 1

match ip address 199

set interface FastEthernet6/0/0 Ethernet1/0

set ip next-hop 10.59.1.11

set ip precedence routine

!

route-map N2H2 permit 2

match ip address 198

set ip next-hop 10.59.1.3

------------------------------------------------------------------------------

What I need to do is redirect all port 80 traffic EXCEPT that for the following IP addresses:

10.59.1.2

10.59.1.20

10.59.1.25

10.59.1.21

All suggestions or assistance will be greatly appreciated.


thisisshanky
Level 11

Can you give some more info as to what 10.59.1.11 and 10.59.1.3 are?

Also, what device is connected to fa6/0/0 and e1/0?

I guess, this is what you need.

All addresses from which port 80 traffic is coming need to be redirected to the N2H2 filtering server, except for those coming from 10.59.1.2, 10.59.1.20, .25 and .21.

If this is the case, you need to do this.

Define an access-list which "permits" all the addresses which you want to redirect to the N2H2 server. Let this be ACL 100.

route-map N2H2 permit 10

match ip add 100

set ip next-hop

route-map N2H2 permit 20

Instance 10 of the route map matches the traffic which needs redirection, and packets matching this policy will be policy routed to the server. Instance 20 would normally route the traffic which doesn't match ACL 100. This would include the IP addresses you don't want to be redirected to the N2H2 server.

Also, apply the route-map on the interface which receives this traffic and not as local. Local policy routing is used for those packets generated by the router.

so your config would look like,

int e0/0

ip policy route-map N2H2

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

10.59.1.11 is the filtering appliance.

10.59.1.3 is a port on the router that connects the cable segment the filtering appliance is on.

I already have the "ip policy route-map N2H2" command in all of my interfaces and it's working for redirecting port 80 to the filter, I just need to know how to tell it NOT to redirect those addresses I listed.

I'm still a bit confused about how to create the access lists. I have never understood them well. The "route-map N2H2 permit 20" has me a bit confused. Do I create a special access list for that, and if so, how? I have all my access list commands in the original post for this.

Thanks.

I think the confusion may be that I need the policy route-map to redirect all traffic coming from, say, cable segment 10.xx.yy.zz on port 80 to the filter. But I do NOT want traffic coming from 10.xx.yy.zz on port 80 to 10.59.1.25 to be route-mapped to the filter.

Ok.

Let me make it clear about the traffic pattern you are interested in....

Do you want all traffic from 10.xx.yy.zz on port 80 to be redirected to the N2H2 server, except for traffic which is going to 10.59.1.25, .21, .2, etc.?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Yes, that is it exactly: all traffic from 10.xx.yy.zz on port 80 to the N2H2 server, except the port 80 traffic for 10.59.1.20, 10.59.1.21, 10.59.1.25, 10.59.1.2.

Hope this makes things clear for you..

I am assuming xx = 10, yy = 20, zz = 0 and mask = /24.

access-list 100 deny tcp 10.10.20.0 0.0.0.255 host 10.59.1.20 eq 80

access-list 100 deny tcp 10.10.20.0 0.0.0.255 host 10.59.1.21 eq 80

access-list 100 deny tcp 10.10.20.0 0.0.0.255 host 10.59.1.25 eq 80

access-list 100 deny tcp 10.10.20.0 0.0.0.255 host 10.59.1.2 eq 80

--- The above access list entries match all HTTP traffic originating from the 10.10.20.0 network as source and going to the above destinations on port 80.

access-list 100 permit tcp 10.10.20.0 0.0.0.255 any eq 80

--- The above ACL entry will permit all HTTP traffic originating from the 10.10.20.0 network as source and going to any destination on port 80.

Now the route map definition....

route-map N2H2 permit 10

match ip address 100

set ip next-hop

In route-maps, the match clause defines the matching conditions, while the set clause defines the steps to be done if a match is found. In this route-map, one instance of the route-map is created (instance 10).

Those packets which are denied by ACL 100 would be normally routed. That means traffic going on port 80 to 10.59.1.25, .21, .20, .2 won't be matched due to the deny statements, and hence is normally routed. But all other traffic would be permitted by ACL 100 and hence policy routed.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Yes that makes good sense, thanks for clearing it up for me.

I have several cable segments coming into that router. They all start with either 10.59.x.y or 10.60.x.y, so I assume I can modify the above statements to read like (EXAMPLE):

access-list 100 deny tcp 10.59.0.0 0.0.255.255 host 10.59.1.20 eq 80

etc.

And then the permit would be:

access-list 100 permit tcp 10.59.0.0 0.0.255.255 any eq 80

Thanks for the help.

Yep, that's right.

The order of definition of statements is very important.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

OK so the permit statement(s) MUST follow the deny statements or it will execute the permit statements first. Right?

Yes,

If the permit statement comes first, it matches traffic to any destination, which will include (.21, .20, .25, .2 ) and the route map will policy route the traffic.

So the permit statement should follow the deny statements.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
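The ordering rule above, and the route-map instance behaviour described earlier in the thread (instance 10 redirects, instance 20 with no match clause falls through to normal routing), can be checked offline with a small simulator. The script below is an added example written for this page; it is not code from the original posts or from Cisco. It models IOS extended-ACL first-match evaluation (wildcard masks, implicit deny at the end) and route-map sequence selection, then runs both ACL 199 exactly as posted in the question and ACL 100 in the accepted form through the same two-sequence route-map. The addresses are the ones quoted in the thread; the flows in FLOWS are constructed test inputs, and 198.51.100.10 is a documentation address standing in for an Internet web server.

```python
"""Simulate Cisco IOS extended-ACL first-match evaluation and PBR route-map
sequence selection. Added example for this thread, not Cisco code."""
from ipaddress import IPv4Address

FILTER = "10.59.1.11"        # N2H2 filtering appliance, from the thread
NAMED_PORTS = {"www": 80}    # IOS keyword used in the original ACL 199

# ACL 199 exactly as posted in the question: the permit precedes the denies.
ORIGINAL_ACL_199 = """
access-list 199 deny tcp host 10.59.1.11 any eq www
access-list 199 deny tcp host 10.59.1.2 any eq www
access-list 199 deny tcp host 63.204.88.5 any eq www
access-list 199 deny tcp host 10.59.10.2 any eq www
access-list 199 permit tcp any any eq www
access-list 199 deny tcp host 10.59.10.12 any eq www
access-list 199 deny tcp host 10.59.1.21 any eq www
access-list 199 deny tcp host 10.59.1.20 any eq www
access-list 199 deny tcp host 10.59.1.25 any eq www
"""

# ACL 100 in the accepted form: destination-based denies first, permit last,
# with the 10.59.0.0/16 source range the poster settled on.
CORRECTED_ACL_100 = """
access-list 100 deny tcp 10.59.0.0 0.0.255.255 host 10.59.1.20 eq 80
access-list 100 deny tcp 10.59.0.0 0.0.255.255 host 10.59.1.21 eq 80
access-list 100 deny tcp 10.59.0.0 0.0.255.255 host 10.59.1.25 eq 80
access-list 100 deny tcp 10.59.0.0 0.0.255.255 host 10.59.1.2 eq 80
access-list 100 permit tcp 10.59.0.0 0.0.255.255 any eq 80
"""

def in_wildcard(ip, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so only 0 bits are compared."""
    ip_i, net_i, wc_i = (int(IPv4Address(x)) for x in (ip, network, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)

def parse_ace(line):
    """Parse 'access-list N {permit|deny} tcp SRC DST [eq PORT]', where SRC/DST
    is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Returns (number, action, src, dst, port)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError("unsupported ACE: " + line)
    number, action = int(tok[1]), tok[2]
    i = 4
    def address():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[i] == "host":
            i += 2
            return (tok[i - 1], "0.0.0.0")
        i += 2
        return (tok[i - 2], tok[i - 1])
    src, dst = address(), address()
    port = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        port = NAMED_PORTS[p] if p in NAMED_PORTS else int(p)
    return number, action, src, dst, port

def load_acls(text):
    """Group ACEs by list number, preserving the order they were entered."""
    acls = {}
    for line in text.strip().splitlines():
        number, action, src, dst, port = parse_ace(line)
        acls.setdefault(number, []).append((action, src, dst, port))
    return acls

def acl_permits(aces, src, dst, dport):
    """IOS evaluates top-down and stops at the first match; traffic that matches
    nothing hits the implicit deny, which for a route-map means 'not matched'."""
    for action, (sn, sw), (dn, dw), port in aces:
        if in_wildcard(src, sn, sw) and in_wildcard(dst, dn, dw) and port in (None, dport):
            return action == "permit"
    return False

def policy_next_hop(route_map, acls, src, dst, dport):
    """route_map: ordered (seq, acl_number_or_None, next_hop_or_None) tuples.
    The first sequence whose match clause permits the packet wins; a sequence
    with no match clause matches everything. None means 'normally routed'."""
    for _seq, acl, next_hop in route_map:
        if acl is None or acl_permits(acls[acl], src, dst, dport):
            return next_hop
    return None

# Constructed flows: a client in 10.59.10.0 reaching an exempt host, an
# Internet web server on port 80, and the same server on 443.
FLOWS = [
    ("10.59.10.50", "10.59.1.25", 80),
    ("10.59.10.50", "198.51.100.10", 80),
    ("10.59.10.50", "198.51.100.10", 443),
]

def decisions(acl_text, acl_number):
    """Run FLOWS through the thread's route-map (10 = redirect, 20 = fall through)."""
    acls = load_acls(acl_text)
    route_map = [(10, acl_number, FILTER), (20, None, None)]
    return {flow: policy_next_hop(route_map, acls, *flow) for flow in FLOWS}

if __name__ == "__main__":
    for label, text, num in (("as posted (ACL 199)", ORIGINAL_ACL_199, 199),
                             ("accepted fix (ACL 100)", CORRECTED_ACL_100, 100)):
        print(label)
        for (src, dst, dport), hop in decisions(text, num).items():
            print("  %s -> %s:%d => %s" % (src, dst, dport, hop or "normal routing"))
```

Running it shows the point of the accepted answer: with ACL 199 as posted, the `permit tcp any any eq www` entry matches the flow to 10.59.1.25 before the later deny is ever reached, so that flow is sent to 10.59.1.11; with ACL 100 the deny comes first and the flow falls through to sequence 20 and normal routing. Two further things the output makes visible: the deny entries in ACL 199 key on the source host, whereas the exemptions the poster wanted are by destination, which is how ACL 100 is written; and because both lists match only `eq 80`, the 443 flow is never policy routed under either list.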

THANK YOU. I just put this into my router and it appears to be working great.

THANKS AGAIN!!!!!

You're welcome!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus